Google has reached a major cybersecurity milestone with the discovery of a critical 20-year-old software bug in the OpenSSL library. The discovery is part of Google’s ongoing work on OSS-Fuzz, a project aimed at finding and reporting software bugs in open source projects. Using AI-generated and enhanced fuzz targets (essentially automated tests designed to discover vulnerabilities), Google recently identified 26 new vulnerabilities, including the OpenSSL bug (CVE-2024-9143).
This achievement is notable because traditional human-written fuzz targets failed to discover the bug, which had been hidden in OpenSSL’s critical code base for two decades. AI-generated fuzz targets explored previously untested code paths, enabling the discovery of vulnerabilities that might otherwise have gone undetected. This breakthrough highlights how artificial intelligence transforms vulnerability detection and improves open source software security.
How AI software made this possible
The breakthrough is fueled by a large language model (LLM) integrated into Google’s fuzzing workflow. This AI software improves coverage by automating tasks that traditionally required manual effort, including:
- Writing fuzz targets: The LLM generates targeted tests based on the project-specific context.
- Fixing compilation errors: It iteratively resolves issues during the fuzz target creation process.
- Running initial tests: AI refines fuzz targets by resolving execution issues.
- Triage and analysis: Crashes are analyzed to determine their root causes and whether they represent valid vulnerabilities.
This iterative process expanded code coverage to 272 projects, significantly improving testing.
Key vulnerabilities discovered
In addition to the OpenSSL bug, Google discovered a vulnerability in the cJSON project, demonstrating the effectiveness of AI-generated fuzz targets in projects previously tested with human-written harnesses. These results highlight that even well-tested software can contain undetected flaws.
Traditional metrics like line coverage often fail to account for all possible paths and code states, which makes AI-generated fuzz targets an important and useful tool for strengthening security.
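To make the coverage point concrete, here is an added example that is not from Google's post, OpenSSL or cJSON: a libFuzzer-style target (the entry-point shape OSS-Fuzz builds and runs) driving a constructed toy stateful API. A two-byte input already executes every line of the toy library, yet the off-by-one in `session_close` is only reachable from one state (a full buffer), so line coverage reports "done" while the bug is still there. The toy library, the byte-to-operation encoding and the invariant check are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Toy library under test (constructed for this example, not real project code).
 * The bookkeeping bug in session_close is only reachable when the buffer is full. */
#define CAP 4
typedef struct { int items[CAP]; int count; int closed; } session_t;

static void session_init(session_t *s) { memset(s, 0, sizeof *s); }

static int session_push(session_t *s, int v) {
    if (s->closed || s->count >= CAP) return -1;   /* bounds-checked: correct */
    s->items[s->count++] = v;
    return 0;
}

static int session_pop(session_t *s, int *out) {
    if (s->count == 0) return -1;
    *out = s->items[--s->count];                   /* out-of-bounds read if count > CAP */
    return 0;
}

static void session_close(session_t *s) {
    if (s->count < CAP) s->items[s->count] = -1;    /* the write is guarded ...          */
    s->count++;                                    /* ... the counter is not: off-by-one */
    s->closed = 1;
}

/* Core of the fuzz target: interpret the input as an operation sequence and check the
 * state invariant after every call. Returns 1 when the invariant breaks (a "crash"). */
int run_ops(const uint8_t *data, size_t size) {
    session_t s; int out;
    session_init(&s);
    for (size_t i = 0; i < size; i++) {
        switch (data[i] % 3) {                      /* assumed encoding: 0 push, 1 pop, 2 close */
        case 0:  session_push(&s, data[i]); break;
        case 1:  session_pop(&s, &out);     break;
        default: session_close(&s);         break;
        }
        if (s.count < 0 || s.count > CAP) return 1; /* stop before any out-of-bounds access */
    }
    return 0;
}

/* libFuzzer entry point as used by OSS-Fuzz: abort so the engine saves the triggering input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (run_ops(data, size)) abort();
    return 0;
}
```

Built with `clang -fsanitize=fuzzer,address`, the engine finds the five-byte sequence (four pushes, then close) on its own; a harness that only called each function once would report full line coverage and never reach it.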
The way forward for Google’s AI products
Google plans to push the boundaries of AI-based vulnerability detection even further. Upcoming goals include automating the triage process to reduce human oversight, integrating AI tools directly into the OSS-Fuzz platform, and enabling LLMs to autonomously generate fixes for the vulnerabilities discovered.
By incorporating agent-based architectures, which let AI models use debugging tools and validate their own results, Google aims to create a fully automated end-to-end solution for detecting and fixing software bugs.
Google’s discovery highlights the transformative potential of AI tools to secure critical infrastructure. As AI models evolve, they promise to uncover hidden vulnerabilities faster and more efficiently than ever before, ensuring that open source projects remain robust and protected from exploitation.